What's new

Operating system: Windows Server 2008
For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2003 with Service Pack 1 (SP1) to Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164410). For information about specific features in Active Directory Domain Services (AD DS) in Windows Server 2008, see Active Directory Domain Services Role (http://go.microsoft.com/fwlink/?LinkId=164414). Some functionality that was available in previous versions of Windows Server is deprecated in Windows Server 2008. For example, SMTP replication is removed by default. For more information, see article 947057 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164416). The Browser service is disabled by default on Windows Server 2008 and Windows Server 2008 R2 domain controllers.

Operating system: Windows Server 2008 R2
For information about each feature, special considerations, and how to prepare for deployment, see Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=139049). For information about specific features in AD DS in Windows Server 2008 R2, see What's New in Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=139655). In Windows Server 2008 R2, Dcpromo.exe does not allow the creation of a domain that has a single-label Domain Name System (DNS) name. If you try to promote an additional domain controller in a domain that has a single-label DNS name (such as contoso, instead of contoso.com), the check box to install a DNS server is not available in Dcpromo.exe. Upgrading Windows Server 2003 domain controllers in Windows Server 2008 and Windows Server 2008 R2 single-label domains is supported, and promoting additional Windows Server 2008 and Windows Server 2008 R2 domain controllers into existing single-label DNS domains is supported. Windows Server 2008 R2 does not support MSMQ in domain mode for Windows NT 4 and Windows 2000 MSMQ clients running against Windows Server 2008 R2 domain controllers when there are no Windows Server 2003 or Windows Server 2008 domain controllers in the same environment. For more information about other functionality in Windows Server 2003 that is deprecated in Windows 7 and Windows Server 2008 R2, see Deprecated Features for Windows 7 and Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=177815). For more information about other known issues for AD DS, see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).
System requirements for installing Windows Server 2008 and Windows Server 2008 R2
technet.microsoft.com//upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx 1/17
For system requirements for Windows Server 2008, see System Requirements in Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=164421). For disk-space requirements for AD DS in Windows Server 2008, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164423). For system requirements for Windows Server 2008 R2, see Installing Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=160341). For disk-space requirements for AD DS in Windows Server 2008 R2, see Disk space and component location issues in Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkID=164423).

The AD DS database (Ntds.dit) on Windows Server 2008 R2 domain controllers can be larger than in previous versions of Windows, for the following reasons:
- There are changes in the online defragmentation process on Windows Server 2008 R2 domain controllers.
- Windows Server 2008 R2 Adprep /forestprep adds two new indices on the large link table.
- The Windows Server 2008 R2 Active Directory Recycle Bin feature, when it is enabled, preserves attributes on deleted objects for the recycled object lifetime.

The Active Directory database on a Windows Server 2008 domain controller that is promoted into a Windows 2000 domain should be a size that is similar to the size of the Active Directory databases on the Windows 2000 domain controllers. While the Windows Server 2008 R2 additions increase the database size, the single-instance store supported by domain controllers that run Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 offsets that increase. Windows Server 2008 R2 domain controllers are estimated to be 10 percent larger than Windows Server 2008 domain controllers, not counting the Active Directory Recycle Bin.

In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the database size by an additional 15 to 20 percent of the original AD DS database size, using the default deletedObjectLifetime and recycledObjectLifetime values of 180 days. Additional space requirements depend on the size and count of the objects that can be recycled. If an in-place upgrade to Windows Server 2008 or Windows Server 2008 R2 rolls back silently to the previous operating system version, check for sufficient free disk space on the partitions that host the AD DS database and log files.
For upgrades to Windows Server 2008, see Supported upgrade paths in Guide for Upgrading to Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=146616). For upgrades to Windows Server 2008 R2, see Supported upgrade paths in Installing Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=160341) and Windows Server 2008 R2 Upgrade Paths (http://go.microsoft.com/fwlink/?LinkID=154894). When you upgrade existing domain controllers or promote new domain controllers into existing domains, consider the following:
- Computers running Windows NT 4 or Windows 2000 Server cannot be in-place upgraded to Windows Server 2008 or Windows Server 2008 R2.
- In-place upgrades from Windows Server 2003 or Windows Server 2003 R2 to Windows Server 2008 or Windows Server 2008 R2 are supported (subject to the supported Windows Server 2008 R2 upgrade paths), with the following exception: x86-based operating systems cannot be in-place upgraded to x64-based versions of Windows Server 2008 or to Windows Server 2008 R2 (which runs only on x64-based computers). An x64-based version of Windows Server 2008 can be in-place upgraded to Windows Server 2008 R2.
- A writable domain controller cannot be upgraded to be an RODC. The reverse is also true.
- A server that runs the full installation of Windows Server 2008 R2 cannot be upgraded to be a server that runs a Server Core installation of Windows Server 2008 R2. The reverse is also true.
- The best practice for adding new operating systems hosting the domain controller role is to promote replica domain controllers (as opposed to in-place upgrading existing DCs). Transfer FSMO roles and install additional server roles as required.
- Windows Server 2008 and Windows Server 2008 R2 both auto-install Internet Protocol version 6 (IPv6). Do not arbitrarily disable or remove IPv6.
- Windows Server 2008 R2 does not allow outbound trusts to be created between domains that have domain controllers that run Windows Server 2008 R2 and Windows NT 4 domains. Windows Server 2008 R2 inbound trusts with Windows NT 4.0 domains can be made to work but are not tested or supported. This can have an impact on the sequence in which you upgrade domains and domain controllers. For example, suppose a domain with Windows Server 2003 domain controllers has a trust with a domain that has Windows NT 4 domain controllers. In this situation, you need to replace the domain controllers in the Windows NT 4 domain with domain controllers that run Windows 2000 or later before you upgrade or replace domain controllers in the Windows Server 2003 domain. If the domain controllers in the Windows Server 2003 domain are replaced or upgraded first, the trust between the domains will no longer function.
- If you replace domain controllers, use the metadata cleanup method in Windows Server 2008 and Windows Server 2008 R2. Manually remove DNS and Windows Internet Name Service (WINS) records for the original role holder. For more information, see Clean Up Server Metadata (http://go.microsoft.com/fwlink/?LinkId=148150).
- If you want to migrate the AD DS server role, DNS server role, IP address, computer name, and supporting configuration state from an existing server to a new Windows Server 2008 or Windows Server 2008 R2 destination server, see AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles (http://go.microsoft.com/fwlink/?LinkId=177812). For example, refer to this article if you want to ensure that the new server has the same IP address or server name as the legacy server, or if you have made configuration changes, such as registry changes or file-based DNS zones, on the legacy DNS server and you want them retained on the new DNS server.
Functional level features and requirements and considerations for operations master roles
Features that are enabled for Windows Server 2008 and Windows Server 2008 R2 domain and forest functional levels are documented in Understanding Domain and Forest Functionality (http://go.microsoft.com/fwlink/?LinkId=164555). Domain and forest functional level requirements for the deployment of Windows Server 2008 and Windows Server 2008 R2 domain controllers are as follows: Adprep /forestprep does not have any domain or forest functional level requirements.
Note
The import of PAS.LDF, which is normally completed by running Adprep /forestprep, requires a forest functional level higher than Windows 2000. If PAS.LDF is not imported because Adprep /forestprep was run when the forest functional level was Windows 2000, then a search using Active Directory Users and Computers for BitLocker Recovery Password can unexpectedly return 0 results. For more information, see Troubleshooting: Active Directory Users and Computers unexpectedly returns 0 results when searching for Bitlocker Recovery Password.
- Adprep /domainprep requires a Windows 2000 native or higher domain functional level in each target domain.
- Adprep /rodcprep does not have any functional-level requirements.
- You can install Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 domain controllers in the same domain or forest without any functional-level requirement.
- The promotion of read-only domain controllers (RODCs) requires the Windows Server 2003 forest functional level or higher.

New well-known and built-in groups are created after you upgrade or transfer the domain controller that holds the primary domain controller (PDC) emulator operations master role in each domain in the forest to Windows Server 2008 or Windows Server 2008 R2, or after you add a read-only domain controller (RODC) to your domain. For more information, see Appendix A: Background Information for Upgrading Active Directory Domains. There are no changes in Windows Server 2008 or Windows Server 2008 R2 to the recommendations for placing operations master roles (also known as flexible single master operations or FSMO roles). For more information about current recommendations, see Planning Operations Master Role Placement (http://go.microsoft.com/fwlink/?LinkId=185222).
Member computer and domain controller interoperability

This is a matrix of member computer operating system (rows) against domain controller operating system (columns); only the entries that can be read from this copy are listed.

Windows NT 4 member computers with Windows Server 2008 or Windows Server 2008 R2 domain controllers: Not tested by Windows product groups and therefore not supported. CSS can provide best-effort support, but escalation support or hotfixes will not be provided. Improved default security settings block domain join and establishing and maintaining a secure channel. Although not recommended, those operations can work after the default security settings are relaxed. For more information, see article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164558). AllowNT4Crypto is disabled by default on domain controllers that run Windows Server 2008 and Windows Server 2008 R2 (see Secure default settings in Windows Server 2008 and Windows Server 2008 R2 later in this document). Secure channels between computers running Windows NT 4.0 and Windows 7 or Windows Server 2008 R2 are not tested by Windows product groups and are therefore not supported. Affected operations include validation of trusts, creation of outbound trusts, domain joins, and authentication over secure channels. For more information about outbound trusts between Windows Server 2008 R2 and Windows NT 4 domains, see article 2021766 (http://go.microsoft.com/fwlink/?LinkID=205835).

Windows 2000 member computers: Fully tested and supported with most domain controller versions. The combinations that the Windows product groups did not test are not supported, but there are no known issues; CSS can provide best-effort support, but escalation support or hotfixes will not be provided.

Windows XP member computers: Fully tested and supported.

Windows Vista and Windows Server 2008 member computers with Windows NT 4 domain controllers: Not tested by Windows product groups and therefore not supported. CSS can provide best-effort support, but escalation support or hotfixes are not provided. The domain controller operating system is beyond its supported lifecycle. With Windows Server 2008 and Windows Server 2008 R2 domain controllers: Fully tested and supported.

Windows 7 member computers with Windows NT 4 domain controllers: Hard-block; cannot be made to work. The domain controller operating system is beyond its supported lifecycle. See "Unable to Join ... 2008 R2 or Win... to Active Direc..." (http://go.microsoft.com/fwlink/?LinkId=192570). With Windows Server 2008 and Windows Server 2008 R2 domain controllers: Fully tested and supported.

Windows Server 2008 R2 member computers with Windows NT 4 domain controllers: Not tested by Windows product groups and therefore not supported. CSS can provide best-effort support, but escalation support or hotfixes are not provided. The domain controller operating system is beyond its supported lifecycle. For more information about outbound trusts between Windows Server 2008 R2 and Windows NT 4 domains, see article 2021766 (http://go.microsoft.com/fwlink/?LinkID=205835).
The preceding table lists supportability information for client operating systems that interact with domain controllers. Windows XP, Windows Server 2003, Windows Vista, and Windows 7 client computers are fully compatible with writable Windows Server 2008 and Windows Server 2008 R2 domain controllers. For member-computer interoperability with RODCs, see Known Issues for Deploying RODCs (http://go.microsoft.com/fwlink/?LinkID=164418). For more information about which versions of Microsoft Exchange Server can interoperate with different versions of Windows, see Exchange Server Supportability Matrix (http://go.microsoft.com/fwlink/?LinkID=165034). The Group Chat feature in Office Communications Server 2007 R2 does not work in Windows Server 2008 R2 domains. For more information, see article 982020 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=190459). For more information about using Office Communications Server 2007 R2 with domain controllers that have different versions of Windows Server and different domain and forest functional levels, see Supported Active Directory Environments by Office Communications Server Version (http://go.microsoft.com/fwlink/?LinkId=190457). For a list of applications that are compatible or incompatible with Windows Server 2008, see article 948680 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=184903). For a list of applications that are compatible or incompatible with Windows Server 2008 R2, see Microsoft Server Applications Supported on Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=184918). For a list of applications that are compatible with RODCs, see Applications That Are Known to Work with RODCs (http://go.microsoft.com/fwlink/?LinkID=133779). Exchange Server requires a writable domain controller; therefore, it does not work with RODCs.
It is not required to upgrade a certification authority (CA) that runs Windows Server 2003 when you upgrade domain controllers that run Windows Server 2003. But Windows Server 2008 and Windows Server 2008 R2 provide many new features and improvements related to CAs. For more information about what is new in Windows Server 2008, see Active Directory Certificate Services Role (http://technet.microsoft.com/en-us/library/cc753254(WS.10).aspx). For more information about what is new in Windows Server 2008 R2, see What's New in Active Directory Certificate Services (http://technet.microsoft.com/en-us/library/dd448537(WS.10).aspx). For information about how to move a CA from an older server to a new server, see AD CS Migration: Migrating the Certification Authority. For information about how to move a Certificate Server database and log files, see article 238193 (http://go.microsoft.com/fwlink/?LinkId=185023) in the Microsoft Knowledge Base.

VM guests fail to start with the error "insufficient system resources" when the AD DS server role is added to a RemoteFX-enabled Windows Server 2008 R2 SP1 Hyper-V host computer. The best practice is to not install the AD DS (domain controller) role on a computer that also hosts the Hyper-V server role. If you must have the Hyper-V and AD DS roles installed on the same physical computer, do not install RemoteFX, a subcomponent of the Remote Desktop Virtualization Host role service.

Windows Vista, Windows Server 2008, and later operating systems use a higher range of ports for outgoing connections than previous versions of Windows. The new default start port is 49152, and the default end port is 65535. If you receive errors indicating that the endpoint mapper is out of endpoints, especially after retiring domain controllers that run Windows 2000 or Windows Server 2003, you might need to reconfigure firewalls and routers to allow the new default port range. For more information, see article 929851 (http://go.microsoft.com/fwlink/?LinkID=153117).
Known Issue
Domain controllers that host Active Directory-integrated DNS zones and point to themselves as preferred DNS servers experience lengthy startup times of 20 minutes or longer and log Event ID 4013 in the DNS log. When you open the DNS snap-in, you might see the following error message: "The server Win2k8DC could not be contacted. The error was: The server is unavailable. Would you like to add it anyway?" When you open Active Directory Users and Computers, you might see this error message: "Naming information could not be located." This error occurs when the DNS Server service is waiting for initial synchronization of AD DS to complete, but AD DS initial synchronization cannot complete because the DNS records that must be resolved are stored in Active Directory-integrated zones that the local DNS server cannot yet serve.

How to resolve
Try the following configuration changes to prevent the condition that logs Event ID 4013:
- Remove references in AD DS to domain controllers that no longer exist.
- Resume operations for domain controllers that are currently offline in your Active Directory forest.
- Avoid single points of failure in your DNS configuration. For example, list multiple alternate DNS servers.
- Configure domain controllers that host Active Directory-integrated DNS zones to point to other DNS servers in the same site and in hub sites.
- Stagger the restarts of DNS servers in your enterprise when possible.
- Install uninterruptible power supply (UPS) devices in strategic places to ensure the availability of DNS servers after power outages, and augment your UPS-backed DNS servers with onsite generators.
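The self-pointing configuration described above is easy to audit before a restart turns it into a 20-minute outage. The following script is an added example, not a script from the article; it assumes it runs elevated on the domain controller, uses WMI so that it works with the PowerShell 2.0 that ships with Windows Server 2008 R2, and the addresses in the sample call at the end are constructed.

```powershell
# Added example (not from the TechNet article): flag a domain controller whose
# DNS client list starts with itself and has no other DNS server to fall back
# to, the configuration behind Event ID 4013 at startup.
# Assumes: run elevated on the DC; PowerShell 2.0-compatible (WMI, no DnsClient module).

function Test-DnsSearchOrder {
    param(
        [Parameter(Mandatory=$true)][string[]]$DnsServerSearchOrder,  # adapter DNS list, preferred first
        [Parameter(Mandatory=$true)][string[]]$LocalAddresses         # every address this host owns
    )
    # Any loopback or locally owned address means "myself".
    $self       = @('127.0.0.1', '::1') + $LocalAddresses
    $preferred  = $DnsServerSearchOrder[0]
    $alternates = @($DnsServerSearchOrder | Select-Object -Skip 1)
    $remote     = @($alternates | Where-Object { $self -notcontains $_ })

    $findings = @()
    if ($self -contains $preferred) {
        $findings += "Preferred DNS server $preferred is this DC; AD DS initial sync can wait on the local DNS server at startup (Event ID 4013)."
    }
    if ($remote.Count -eq 0) {
        $findings += 'No alternate DNS server other than this DC; list a DNS server in the same site or a hub site.'
    }
    New-Object PSObject -Property @{
        Preferred  = $preferred
        Alternates = $alternates
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

function Get-LocalDcDnsClientReport {
    # Live check: every IP-enabled adapter that carries a DNS server list.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                Where-Object { $_.DNSServerSearchOrder }
    $local = @($adapters | ForEach-Object { $_.IPAddress })
    foreach ($adapter in $adapters) {
        Test-DnsSearchOrder -DnsServerSearchOrder $adapter.DNSServerSearchOrder -LocalAddresses $local |
            Add-Member -MemberType NoteProperty -Name Adapter -Value $adapter.Description -PassThru
    }
}

# Constructed sample (not live data): a DC at 10.0.0.5 that lists only itself.
Test-DnsSearchOrder -DnsServerSearchOrder @('10.0.0.5') -LocalAddresses @('10.0.0.5', 'fe80::1') | Format-List
# Live report on the DC itself:
# Get-LocalDcDnsClientReport | Format-List
```

The check treats 127.0.0.1 and ::1 the same as the host's own addresses, because pointing the preferred entry at loopback is the same single point of failure. A DC that lists another DC in its site first and itself as an alternate passes, which matches the recommendation above.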
Windows Server 2008 DNS servers that are configured to use root hints for name resolution of Internet names can fail to resolve top-level domain names. DNS servers that run Windows Server 2008 R2 have Extension Mechanisms for DNS (EDNS) enabled by default.
If queries that used to work on DNS servers that run Windows 2000, Windows Server 2003, or Windows Server 2008 fail after those DNS servers are upgraded or replaced with DNS servers that run Windows Server 2008 R2, or if names that the old DNS servers can resolve cannot be resolved by the Windows Server 2008 R2 DNS servers, disable EDNS probes by using the following command:

dnscmd /Config /EnableEDnsProbes 0

If you leave EDNS enabled and a DNS server running Windows Server 2008 R2 receives a Name Error (RCODE 3) response from another DNS server running Windows Server 2008 R2, install hotfix 2550719 (http://support.microsoft.com/kb/2550719).
There are also hotfixes available to resolve other DNS-related problems. For more information, see Verifications that you can make and recommended hotfixes that you can install before you begin.
This section describes interoperability issues for IPv6 and AAAA resource records for DNS servers that run different versions of Windows Server. For more information about using DNS with IPV4 and IPv6, see Configuring DNS for IPv6/IPv4 Coexistence (http://go.microsoft.com/fwlink/?LinkId=186688).
The comparison table lists the following operations by Windows Server version (the per-version cells are not present in this copy):
- Registers AAAA records
- Replicates AAAA records
- Supports AAAA record type
- Listens on IPv6 network interface
- Provides Dnscmd.exe IPv6 support
Known issues for upgrades to Windows Server 2008 and Windows Server 2008 R2

Read the following release notes for more information about specific issues that can affect these versions of Windows Server:
- Release notes for Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=99299)
- Release notes for Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=139330)
Logoff takes several minutes if there is no LDAP connectivity to the forest root domain
When you log on or log off from a domain with a newly built client computer, you experience delays of about 5 to 10 minutes. This problem appears after you join the computer to an Active Directory domain. This affects computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2. The problem is caused by lack of connectivity between the client computer and the forest root domain controllers. For more information about the cause of this problem and the steps to take to resolve it, see article 971198 (http://go.microsoft.com/fwlink/?LinkId=184883) in the Microsoft Knowledge Base.
Secure default settings in Windows Server 2008 and Windows Server 2008 R2

Windows Server 2008 and Windows Server 2008 R2 domain controllers have the following secure default settings, compared to Windows 2000 and Windows Server 2003 domain controllers. The columns are: Encryption type or policy | Windows Server 2008 default | Windows Server 2008 R2 default | Comment.

AllowNT4Crypto | Disabled | Disabled | Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers. In all cases, these settings can be relaxed to allow interoperability at the expense of security. For more information, see article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164558).

The policy names of the remaining rows are not present in this copy (one of them is LMv2); their surviving cells are:
- (name not shown) | Enabled | Disabled | Article 976918 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178251)
- (name not shown) | Enabled | N/A |
- (name not shown) | Disabled | Enabled |
- LMv2 | (defaults not shown) |

Comments that belong to these rows: Article 977321 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=177717). See Microsoft Security Advisory (937811) (http://go.microsoft.com/fwlink/?LinkId=164559) and article 976918 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178251). Review and install the hotfix in article 977073 (http://go.microsoft.com/fwlink/?LinkId=186394) in the Microsoft Knowledge Base as required.
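Step 2 of the pre-upgrade checklist later in this document says to check for incompatibilities with these secure defaults; the quickest way is to read the settings a domain controller actually has. The following script is an added example, not the article's own. It assumes that AllowNT4Crypto lives under the Netlogon Parameters key (as article 942564 describes) and that the LAN Manager authentication level lives in the Lsa key as LmCompatibilityLevel; both are documented registry values, but the interpretation text is this example's own, and the values passed in the last call are constructed.

```powershell
# Added example (not from the TechNet article): report the registry values behind
# the AllowNT4Crypto row and the LM/NTLM row of the secure-defaults table.
# Assumes: run elevated on the DC; AllowNT4Crypto under Netlogon\Parameters (KB 942564),
# LmCompatibilityLevel under Control\Lsa. PowerShell 2.0-compatible.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Get-DcSecureDefaultsReport {
    param(
        # Overridable so the logic can be exercised without touching the registry.
        [object]$AllowNT4Crypto       = (Get-RegistryValueOrNull $NetlogonKey 'AllowNT4Crypto'),
        [object]$LmCompatibilityLevel = (Get-RegistryValueOrNull $LsaKey 'LmCompatibilityLevel')
    )
    # Absent or 0 = secure default (NT 4.0-era secure channel cryptography refused).
    # 1 = relaxed per KB 942564; only for Windows NT 4.0 interoperability.
    $nt4 = if ($AllowNT4Crypto -eq 1) {
        'Enabled: NT 4.0-compatible secure channel cryptography allowed (relaxed from the secure default)'
    } else {
        'Disabled: secure default in effect'
    }

    # Names of levels 0-5 of "Network security: LAN Manager authentication level".
    $lmNames = @(
        'Send LM & NTLM responses',
        'Send LM & NTLM - use NTLMv2 session security if negotiated',
        'Send NTLM response only',
        'Send NTLMv2 response only',
        'Send NTLMv2 response only, refuse LM',
        'Send NTLMv2 response only, refuse LM & NTLM'
    )
    if ($LmCompatibilityLevel -eq $null) {
        $lm     = 'Not set in registry: operating-system default applies (level 3, NTLMv2 only, on Windows 7 and Windows Server 2008 R2)'
        $lmWeak = $false
    } elseif ($LmCompatibilityLevel -ge 0 -and $LmCompatibilityLevel -le 5) {
        $lm     = "Level $LmCompatibilityLevel: $($lmNames[$LmCompatibilityLevel])"
        $lmWeak = ($LmCompatibilityLevel -lt 3)   # still sends LM/LMv2 or plain NTLM responses
    } else {
        $lm     = "Unexpected value $LmCompatibilityLevel"
        $lmWeak = $true
    }

    New-Object PSObject -Property @{
        AllowNT4Crypto       = $nt4
        LmCompatibilityLevel = $lm
        RelaxedFromDefaults  = (($AllowNT4Crypto -eq 1) -or $lmWeak)
    }
}

# Live audit on this DC:
# Get-DcSecureDefaultsReport | Format-List
# Constructed values: a DC that was relaxed for NT 4 members and LM-only devices.
Get-DcSecureDefaultsReport -AllowNT4Crypto 1 -LmCompatibilityLevel 1 | Format-List
```

Run it on every writable domain controller you intend to replace; a RelaxedFromDefaults value of True means that someone already traded security for interoperability, and the clients that depended on that will need the same relaxation (or, better, an upgrade) before the new domain controllers take over.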
Regardless of the virtual host software product that you are using, read Running Domain Controllers in Hyper-V (http://go.microsoft.com/fwlink/?LinkID=139651) for special requirements related to running virtualized domain controllers. Specific requirements include the following:
- Avoid single points of failure, such as having all domain controllers in a domain or forest on the same VM host, the same SAN, or the same datacenter.
- Do not stop or pause domain controllers.
- Do not restore snapshots of domain controller role computers. This action causes an update sequence number (USN) rollback that can result in permanent inconsistencies between domain controller databases.
- All physical-to-virtual (P2V) conversions for domain controller role computers should be done in offline mode. System Center Virtual Machine Manager enforces this for Hyper-V. For information about other virtualization software, see the vendor documentation.
- Configure virtualized domain controllers to synchronize with a time source in accordance with the recommendations for your hosting software.
For more considerations about running domain controllers in virtual machines, see article 888794 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=141292).
The following changes have been made to local and remote administration tools for the Windows Server 2008 and Windows Server 2008 R2 operating systems. The installation of a server role, such as Active Directory Domain Services, by Server Manager also locally installs all GUI and command-line tools that you can use to administer that role. To install tools locally to manage other server roles, click Add Features in Server Manager. The GUI and command-line tools that were formerly in the Administrative Tools Pack (ADMINPACK.MSI), Support Tools (SUPPTOOLS.MSI), and Resource Kit tools have been consolidated into a single collection called Remote Server Administration Tools (RSAT), which you can obtain from the Microsoft Download Center and install on client operating systems such as Windows Vista or Windows 7. As 64-bit hardware and operating systems became more popular, x86-based (32-bit) and x64-based (64-bit) versions of administration tools were released. Additional steps are required to make the administration tools that RSAT installs appear in the Start menu of Windows Vista computers. For these additional steps, see the following procedure.
Configuring the Windows Time service for Windows Server 2008 and Windows Server 2008 R2
Make sure that you have the following domain controller roles configured properly to synchronize the Windows Time service (W32time):
- The forest-root primary domain controller (PDC) emulator on a physical computer should synchronize time from a reliable external time source. For more information, see Configure the Windows Time service on the PDC emulator (http://go.microsoft.com/fwlink/?LinkId=91969).
- All other domain controllers that are installed on physical hardware or Hyper-V should use the default domain hierarchy (no configuration change required).
- For domain controllers running on non-Microsoft virtualization software, consult the vendor.

Windows Server 2008 and Windows Server 2008 R2 domain controllers added time-rollback protection to help prevent domain controllers from adopting bad time. We recommend that you add time-rollback protection on Windows Server 2003 domain controllers and on Windows Server 2008 and Windows Server 2008 R2 Hyper-V hosts by using Group Policy, making sure that you have the policy detail fixes in place before you do. For more information, see article 884776 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=178255).

Finally, time on workgroup virtual host and domain-joined virtual host computers should be configured as follows.

For workgroup host computers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type (REG_SZ) = NTP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer (REG_SZ) = <fully qualified host name of time server, such as time.windows.com>,0x08
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval (REG_DWORD) = 900 (decimal)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection (REG_DWORD) = 0x2a300 (hexadecimal) or 172800 (decimal)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection (REG_DWORD) = 0x2a300 (hexadecimal) or 172800 (decimal)

For domain-joined host computers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MinPollInterval (REG_DWORD) = 6 (decimal)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPollInterval (REG_DWORD) = 10 (decimal)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection (REG_DWORD) = 0x2a300 (hexadecimal) or 172800 (decimal)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection (REG_DWORD) = 0x2a300 (hexadecimal) or 172800 (decimal)

(NtpServer is a string value; the 0x08 suffix is the NtpClient "client" mode flag. MaxPosPhaseCorrection and MaxNegPhaseCorrection are in seconds, so 172800 caps any single correction at 48 hours.)
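The registry lists above are the kind of thing that gets typed inconsistently across a fleet of hosts. The following script is an added example, not part of the article: it writes exactly the values listed, for either host type, previews the change before applying it, and then tells the Windows Time service to reload. It assumes it runs elevated, that w32tm /config /update and w32tm /resync are used to reload the service, and the NTP server name in the usage lines is a placeholder you replace with your own.

```powershell
# Added example (not from the TechNet article): apply the W32Time registry values
# listed above to a virtualization host. Assumes: run elevated; w32tm.exe present.
# The NTP server name is the caller's choice (time.windows.com is only the article's placeholder).

$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-VirtualHostTimeSettings {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Workgroup', 'DomainJoined')][string]$HostType,
        [string]$NtpServer = 'time.windows.com'
    )
    # Both host types: cap any single correction at 48 hours (0x2a300 = 172800 seconds).
    $settings = @(
        @{ Path = "$W32Time\Config"; Name = 'MaxPosPhaseCorrection'; Type = 'DWord'; Value = 172800 },
        @{ Path = "$W32Time\Config"; Name = 'MaxNegPhaseCorrection'; Type = 'DWord'; Value = 172800 }
    )
    if ($HostType -eq 'Workgroup') {
        # No domain hierarchy to follow, so sync from an explicit NTP server.
        $settings += @{ Path = "$W32Time\Parameters"; Name = 'Type';      Type = 'String'; Value = 'NTP' }
        # NtpServer is REG_SZ; 0x08 is the NtpClient "client" mode flag.
        $settings += @{ Path = "$W32Time\Parameters"; Name = 'NtpServer'; Type = 'String'; Value = "$NtpServer,0x08" }
        $settings += @{ Path = "$W32Time\TimeProviders\NtpClient"; Name = 'SpecialPollInterval'; Type = 'DWord'; Value = 900 }
    } else {
        # Domain hierarchy stays in use; only tighten the poll interval (2^6 .. 2^10 seconds).
        $settings += @{ Path = "$W32Time\Config"; Name = 'MinPollInterval'; Type = 'DWord'; Value = 6 }
        $settings += @{ Path = "$W32Time\Config"; Name = 'MaxPollInterval'; Type = 'DWord'; Value = 10 }
    }
    return $settings
}

function Set-VirtualHostTimeConfig {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Workgroup', 'DomainJoined')][string]$HostType,
        [string]$NtpServer = 'time.windows.com',
        [switch]$Apply   # without -Apply the function only reports current versus desired values
    )
    foreach ($s in (Get-VirtualHostTimeSettings -HostType $HostType -NtpServer $NtpServer)) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        '{0}\{1}: current=[{2}] desired=[{3}]' -f $s.Path, $s.Name, $current, $s.Value
        if ($Apply) {
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
        }
    }
    if ($Apply) {
        w32tm /config /update | Out-Null   # tell the running service to re-read its configuration
        w32tm /resync /nowait | Out-Null   # kick off a sync without blocking the script
    }
}

# Usage: preview, then apply, on a workgroup Hyper-V host (replace the server name).
# Set-VirtualHostTimeConfig -HostType Workgroup -NtpServer 'ntp.example.net'
# Set-VirtualHostTimeConfig -HostType Workgroup -NtpServer 'ntp.example.net' -Apply
# Set-VirtualHostTimeConfig -HostType DomainJoined -Apply
```

One caveat worth knowing before you rely on the 900-second poll: the Windows Time service honours SpecialPollInterval only for NtpServer entries that carry the 0x1 (SpecialInterval) flag, whereas the article's list uses 0x08 alone. If the host does not poll every 15 minutes after applying this, change the suffix to 0x09 (client mode plus special interval), which is the combination that makes both settings take effect.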
Verifications that you can make and recommended hotfixes that you can install before you begin
1. All domain controllers in the forest should meet the following conditions:
   a. Be online.
   b. Be healthy. (Run dcdiag /v to see if there are any problems.)
   c. Have successfully inbound-replicated and outbound-replicated all locally held Active Directory partitions (repadmin /showrepl * /csv, viewed in Excel). For more information, see CSV Format in Repadmin Requirements, Syntax, and Parameter Descriptions (http://go.microsoft.com/fwlink/?LinkID=147380).
   d. Have successfully inbound-replicated and outbound-replicated SYSVOL.
   e. Metadata for stale or nonexistent domain controllers, or domain controllers that cannot be made to replicate, should be removed from their respective domains. For more information, see Clean Up Server Metadata (http://go.microsoft.com/fwlink/?LinkId=148150).
   f. All domains must be at the Windows 2000 native functional level or higher to run adprep /domainprep. Windows NT 4.0 domain controllers are not permitted in this functional level.
   g. Have sufficient free disk space to accommodate the upgrade. For more information about disk-space requirements for Windows Server 2008 and Windows Server 2008 R2, see System requirements for installing Windows Server 2008 and Windows Server 2008 R2. The task for administrators is to accurately forecast the immediate and long-term growth of Ntds.dit files on Windows Server 2008 and Windows Server 2008 R2 domain controllers so that the hard drives and partitions that host Active Directory files can be sized properly on physical and virtual domain controllers.
2. Check for incompatibilities with the secure defaults in Windows Server 2008 and Windows Server 2008 R2. For more information, see Secure default settings in Windows Server 2008 and Windows Server 2008 R2.
3. Download the latest service pack and relevant hotfixes that apply to your Active Directory forest before you deploy Windows Server 2008 or Windows Server 2008 R2 domain controllers.
   a. For upgrades to either Windows Server 2008 or Windows Server 2008 R2, create integrated installation media (slipstream) by adding the latest service pack and hotfixes for your operating system. As of September 2009, the latest service pack for Windows Server 2008 is Service Pack 2 (SP2). For information about obtaining the latest service pack, see article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164585) and Installing Windows Server 2008 with Service Pack 2 (http://go.microsoft.com/fwlink/?LinkId=164586). Windows Server 2008 R2 includes the updates from Windows Server 2008 SP2. To make sure that you have all of the latest updates, see Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290) or article 968849 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164585) for download information.
      i. If you are deploying RODCs, review article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974). Download and install the hotfixes on the Windows computers and scenarios that apply to your computing environment.
      ii. For Windows Server 2008 R2: If Active Directory Migration Tool (ADMT) 3.1 is installed on Windows Server 2008 computers that are being upgraded in-place to Windows Server 2008 R2, remove ADMT 3.1 before the upgrade; otherwise, it cannot be uninstalled afterwards. In addition, ADMT 3.1 cannot be installed on Windows Server 2008 R2 computers.
      iii. The following table lists hotfixes for Windows Server 2008. You can install a hotfix individually, or you can install the service pack that includes it.
Description | Article | Service pack
Unexpected behavior occurs in the Windows Time service when you enable the Windows Time Service Group Policy setting in Windows Server 2008 or in Windows Vista SP1 | 961027 (http://go.microsoft.com/fwlink/?LinkId=182336) | Windows Server 2008 SP2
Domain controllers that are configured to use the Japanese language locale | 949189 (http://go.microsoft.com/fwlink/?LinkId=164588) | Windows Server 2008 SP2
EFS file access encrypted on a Windows Server 2003 file server upgraded to Windows Server 2008 | 948690 (http://go.microsoft.com/fwlink/?LinkID=106115) | Not included in any Windows Server 2008 service pack
Records on Windows Server 2008 secondary DNS server are deleted after zone transfer | 953317 (http://go.microsoft.com/fwlink/?LinkId=164590) | Windows Server 2008 SP2
Setting Locale information in Group Policy Preferences causes Event Log and dependent services to fail. If you change Regional Option User Locale enabled, the Windows Event Log Service, DNS Server Service, and Task Scheduler Service fail to start. | 2001154 (http://go.microsoft.com/fwlink/?LinkId=165959). For prevention and resolution, see 951430 (http://go.microsoft.com/fwlink/?LinkId=165960). | To be included in Windows Server 2008 SP3
 | 949360 (http://go.microsoft.com/fwlink/?LinkID=184908) | Windows Server 2008 SP2
If you use devolution to resolve DNS names (instead of suffix search list), apply the DNS devolution hotfix. | 957579 (http://go.microsoft.com/fwlink/?LinkId=178224) | Windows Server 2008 SP2
 | 943729 (http://go.microsoft.com/fwlink/?LinkId=164591) | Windows Server 2008 SP2
 | 974266 (http://go.microsoft.com/fwlink/?LinkID=165035) |
Synchronize the Directory Services Restore Mode (DSRM) Administrator password with a domain user account | 961320 (http://go.microsoft.com/fwlink/?LinkId=177814) |
An application that uses Crypt32.dll crashes on a computer that is running Windows Vista or Windows Server 2008 | 982416 (http://go.microsoft.com/fwlink/?LinkID=196889) | Windows Server 2008 SP3
If you have Windows Server 2008 servers that are running IIS and hosting SSL certificates, you may need to install this hotfix. | 2379016 (http://go.microsoft.com/fwlink/?LinkId=199533) | Windows Server 2008 SP3
 | 2408181 (http://go.microsoft.com/fwlink/?LinkId=204910) | Windows Server 2008 SP3
 | 2571564 | Windows Vista SP3 or Windows Server 2008 SP3
AAAA record of a Windows Server 2008 domain controller is deleted automatically if the domain controller uses an Active Directory-integrated zone and has a Microsoft 6to4 adapter | |
Add Printer Wizard lists published printers in AD DS slowly in Windows Vista or in Windows Server 2008 | |
technet.microsoft.com//upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx
Note
If you are operating a domain with domain controllers that run Windows Server 2003 and Windows Server 2008, install hotfix 939820 (http://support.microsoft.com/kb/939820). The following table lists hotfixes for Windows Server 2008 R2.
Description | Article | Service pack | Notes
Dynamic DNS updates to BIND servers log NETLOGON event 5774 with error status 9502 | | |
Event ID 1202 logged with status 0x534 if security policy modified | | |
TimeZoneKeyName registry entry name is corrupt on 64-bit upgrades | | | Occurs only on x64-based server upgrades in Dynamic DST time zones. To see if your servers are affected, click the taskbar clock. If the clock fly-out indicates a time zone problem, click the link to open the date and time control panel.
Some deleted objects that are nearing the tombstone lifetime may still exist on the source of a replication agreement and have an attribute added to the partial attribute set of the object that should be replicated out. If the same object was garbage-collected on the target domain controller when it was replicated, the destination domain controller logs Event ID 1988 and possibly Event ID 1388. | | Windows Server 2008 R2 SP1 | The KB article describes a workaround. A hotfix is also included in Windows Server 2008 R2 SP1.
 | article 978055 | |
Windows Server 2008 R2 DNS servers that use root hints are unable to resolve some DNS queries. | 832223 (http://go.microsoft.com/fwlink/?LinkId=186576) | |
Digest authentication fails on a Windows XP or Windows Server 2003 member server when authenticating against a Windows Server 2008 R2 domain controller | | |
In Windows Server 2008 R2, the DNS Server service might crash when it handles many concurrent queries that are submitted through the DNS server plug-in interface | | |
Slow performance occurs when many user authentication requests are handled in Windows Server 2008 R2 | 2545833 (http://support.microsoft.com/kb/2545833) | Windows Server 2008 R2 SP2 |
Scalability of the I/O performance decreases in Windows Server 2008 R2 if more than 256 GB of physical memory is used | 2566205 (http://support.microsoft.com/kb/2566205) | Windows Server 2008 R2 SP2 |
Tuple index is corrupted in a Windows Server 2008 R2 domain | 2566592 (http://support.microsoft.com/kb/2566592) | Windows Server 2008 R2 SP2 |
ILM Management Agents and Windows 2008 Active Directory | 2018683 (http://support.microsoft.com/kb/2018683) | N/A | MIIS 2003 and ILM 2007 will work with a forest upgrade to Windows Server 2008 R2 as long as the Active Directory Recycle Bin feature is not enabled. Use ILM 2007 SP1 or FIM 2010 to synchronize operations that involve Active Directory Recycle Bin.
If you have a Group Policy central store that is hosted with Windows Server 2008 administrative template (ADMX) files, you may have to upgrade the ADMX files or remove the central store. For more information, see Windows 7, Windows Server 2008 R2 and the Group Policy Central Store (http://go.microsoft.com/fwlink/?LinkId=182337).
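The replication and disk-space checks in step 1 of the checklist above (repadmin /showrepl * /csv, free space for Ntds.dit) are usually done by eye in Excel. The following PowerShell is an added example, not code from the TechNet article: it parses the CSV that repadmin emits, reports every inbound link that has failures or has not succeeded recently, and reads the Ntds.dit location from the NTDS service parameters to report free space on that volume. The column names are those of the repadmin CSV header; the sample lines are constructed, not real output, and the DC names and site names in them are placeholders.

```powershell
# Added example, not from the TechNet article.
# Flags inbound replication links from "repadmin /showrepl * /csv" output that
# have failures or no recent success, then checks free space on the Ntds.dit volume.

function Get-ReplicationProblems {
    param(
        [Parameter(Mandatory = $true)][string[]]$CsvLines,  # lines from: repadmin /showrepl * /csv
        [int]$MaxAgeHours = 24                              # older last-success is treated as stale
    )
    $now = Get-Date
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        $lastSuccess = [datetime]::MinValue
        # repadmin writes "0" when a link has never succeeded, which TryParse rejects
        $parsed = [datetime]::TryParse($row.'Last Success Time', [ref]$lastSuccess)
        $reason = $null
        if ($failures -gt 0) {
            $reason = "$failures failure(s), last status $($row.'Last Failure Status')"
        } elseif (-not $parsed -or ($now - $lastSuccess).TotalHours -gt $MaxAgeHours) {
            $reason = "no successful inbound replication in the last $MaxAgeHours hours"
        }
        if ($reason) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                LastSuccess   = $row.'Last Success Time'
                Reason        = $reason
            }
        }
    }
}

function Get-NtdsVolumeFreeSpace {
    # Reads the Ntds.dit path from the NTDS service parameters (only present on a DC)
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $drive  = [System.IO.Path]::GetPathRoot($params.'DSA Database file').TrimEnd('\')
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    New-Object PSObject -Property @{
        DatabaseFile = $params.'DSA Database file'
        FreeGB       = [math]::Round($disk.FreeSpace / 1GB, 2)
        SizeGB       = [math]::Round($disk.Size / 1GB, 2)
    }
}

# Constructed sample in the repadmin CSV layout (placeholder DC/site names, not real output)
$recent = (Get-Date).AddHours(-1).ToString('yyyy-MM-dd HH:mm:ss')
$old    = (Get-Date).AddDays(-3).ToString('yyyy-MM-dd HH:mm:ss')
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",Default-First-Site-Name,DC2,RPC,0,0,' + $recent + ',0',
    'showrepl_INFO,Default-First-Site-Name,DC1,"CN=Schema,CN=Configuration,DC=contoso,DC=com",Branch,DC3,RPC,5,' + $recent + ',' + $old + ',1722',
    'showrepl_INFO,Branch,DC3,"DC=contoso,DC=com",Default-First-Site-Name,DC1,RPC,0,0,' + $old + ',0'
)

# Two of the three links above are reported: DC1<-DC3 (failures) and DC3<-DC1 (stale)
Get-ReplicationProblems -CsvLines $sample | Format-Table Destination, Source, NamingContext, Reason -AutoSize
```

On a real domain controller, replace the sample with `$lines = repadmin /showrepl * /csv` and call `Get-ReplicationProblems -CsvLines $lines`; run `Get-NtdsVolumeFreeSpace` on each domain controller to compare the free space against the growth you forecast for Ntds.dit. Links whose last success is older than the tombstone lifetime need metadata cleanup (step 1e) rather than another replication attempt.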
This section describes how to run the following adprep commands:
- Add schema changes using adprep /forestprep
- If you are deploying RODCs, run adprep /rodcprep
- Run adprep /domainprep /gpprep
If you encounter errors when you run an Adprep command, see Adprep errors.
If you copy Adprep.exe from the installation media to a local computer or a network share, copy the entire adprep folder and provide the full path to the Adprep.exe file.
3. Update the forest schema with adprep /forestprep. While you are still logged on to the console of the schema master with an account that has Enterprise Admins, Schema Admins, and Domain Admins credentials, run the appropriate version of adprep /forestprep from the Windows Server 2008 or Windows Server 2008 R2 installation media. Specify the full path to Adprep.exe to prevent running another version of Adprep that may be present in the PATH environment variable. For example, if you are running the Windows Server 2008 version of Adprep from a DVD drive or network path that is assigned the drive letter D:, the command to run is as follows:
D:\sources\adprep\adprep /forestprep
The syntax for running Windows Server 2008 R2 Adprep on a 64-bit schema master is as follows:
<dvd drive letter>:\support\adprep\adprep /forestprep
The syntax for running Windows Server 2008 R2 Adprep on a 32-bit, x86-based schema master is as follows:
D:\support\adprep\adprep32 /forestprep
For a list of operations that Windows Server 2008 adprep /forestprep performs, see Windows Server 2008: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164636). For a list of operations that Windows Server 2008 R2 adprep /forestprep performs, see Windows Server 2008 R2: Forest-Wide Updates (http://go.microsoft.com/fwlink/?LinkId=164637). If you encounter errors, see Forestprep errors later in this topic.
Note
Rodcprep will run on any member computer or domain controller in the forest if you are logged on with Enterprise Admin credentials. You can run adprep /rodcprep before or after adprep /domainprep. We recommend running adprep /rodcprep on the schema master immediately after adprep /forestprep as a matter of convenience because that operation also requires Enterprise Admins credentials. For Windows Server 2008 Rodcprep, specify the full path to Adprep. For example, if the DVD or network path is assigned drive D:, run the following command:
c:\windows>D:\sources\adprep\adprep /rodcprep
For Windows Server 2008 R2:
1. If the computer where you run Rodcprep is a 64-bit computer, run the following command:
D:\support\adprep\adprep /rodcprep
2. If the computer where you run Rodcprep is a 32-bit computer, run the following command:
D:\support\adprep\adprep32 /rodcprep
If you encounter errors, see Rodcprep errors later in this topic. Before you deploy RODCs, install the RODC compatibility pack on computers that run Windows XP or Windows Server 2003 as needed. For more information, see article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974).
Note
You do not have to add the /gpprep parameter in the following command if you already ran it for Windows Server 2003.
<drive>:<path>\adprep /domainprep /gpprep
For example, if the DVD or network path is assigned drive D, use the following syntax:
D:\sources\adprep\adprep /domainprep /gpprep
For Windows Server 2008 R2: If the infrastructure master is 64-bit, use the following syntax:
D:\support\adprep\adprep /domainprep /gpprep
If the infrastructure master is 32-bit, use the following syntax:
D:\support\adprep\adprep32 /domainprep /gpprep
If you encounter errors, see Domainprep errors later in this topic.
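The adprep steps above depend on three things that are easy to get wrong under pressure: running on the right FSMO holder, picking adprep.exe or adprep32.exe to match the schema master's architecture, and confirming that the schema change has actually replicated before Dcpromo is run against a helper domain controller. The following PowerShell is an added example, not code from the TechNet article. It uses the ActiveDirectory module (RSAT on Windows 7 / Windows Server 2008 R2) to build the exact command for a given media root and operation, refuses to run forestprep or domainprep on the wrong host, and checks the schema objectVersion on every domain controller in the forest. The expected schema versions (44 for Windows Server 2008, 47 for Windows Server 2008 R2) are from my own knowledge; the article does not state them.

```powershell
# Added example, not from the TechNet article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdprepCommand {
    param(
        [Parameter(Mandatory = $true)][string]$MediaRoot,   # e.g. 'D:\' for the DVD or a share
        [Parameter(Mandatory = $true)]
        [ValidateSet('forestprep', 'rodcprep', 'domainprep')][string]$Operation,
        [switch]$WindowsServer2008    # WS2008 media keeps adprep under sources\, R2 media under support\
    )
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # forestprep must run on the schema master, domainprep on the infrastructure master
    $requiredHost = switch ($Operation) {
        'forestprep' { (Get-ADForest).SchemaMaster }
        'domainprep' { (Get-ADDomain).InfrastructureMaster }
        'rodcprep'   { $null }   # any member or DC with Enterprise Admins credentials
    }
    if ($WindowsServer2008) {
        $exe = Join-Path $MediaRoot 'sources\adprep\adprep.exe'
    } else {
        # A 32-bit PowerShell on a 64-bit host reports x86 but also sets PROCESSOR_ARCHITEW6432
        $is32bit = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)
        $binary  = if ($is32bit) { 'adprep32.exe' } else { 'adprep.exe' }
        $exe = Join-Path $MediaRoot "support\adprep\$binary"
    }
    $args = switch ($Operation) {
        'forestprep' { @('/forestprep') }
        'rodcprep'   { @('/rodcprep') }
        'domainprep' { @('/domainprep', '/gpprep') }
    }
    New-Object PSObject -Property @{
        Path           = $exe
        Arguments      = $args
        MediaPresent   = (Test-Path $exe)
        RequiredHost   = $requiredHost
        OnRequiredHost = (-not $requiredHost) -or ($requiredHost -eq $localFqdn)
    }
}

function Test-SchemaVersionReplicated {
    # Reports the schema objectVersion seen by every DC in the forest; a DC that still
    # shows the old version has not inbound-replicated the forestprep changes.
    param([int]$ExpectedVersion = 47)   # 47 = Windows Server 2008 R2, 44 = Windows Server 2008
    $schemaDn = (Get-ADRootDSE).schemaNamingContext
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $version = $null
            try {
                $version = (Get-ADObject -Identity $schemaDn -Properties objectVersion -Server $dc.HostName).objectVersion
            } catch { }   # unreachable DC: leave $version empty, reported as not ready
            New-Object PSObject -Property @{
                DomainController = $dc.HostName
                SchemaVersion    = $version
                Ready            = ($version -ne $null) -and ($version -ge $ExpectedVersion)
            }
        }
    }
}

# Usage: build the command, run it only on the schema master, then verify replication
$cmd = Get-AdprepCommand -MediaRoot 'D:\' -Operation forestprep
if (-not $cmd.MediaPresent) {
    Write-Warning "Adprep not found at $($cmd.Path)"
} elseif (-not $cmd.OnRequiredHost) {
    Write-Warning "Run forestprep on $($cmd.RequiredHost), not on this computer"
} else {
    & $cmd.Path $cmd.Arguments   # array elements are passed as separate arguments
}
Test-SchemaVersionReplicated -ExpectedVersion 47 | Format-Table DomainController, SchemaVersion, Ready -AutoSize
```

Rerun `Test-SchemaVersionReplicated` until every domain controller reports Ready; a domain controller that stays behind is the one that will produce the "you must first prepare the forest" Dcpromo error described later in this topic, and its inbound replication needs fixing before promotion.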
For background information about which types of operating systems and domain controllers can be upgraded, see Supported in-place upgrade paths. This section includes the following topics:
- Upgrading and promoting new domain controllers into an existing domain
- Post-installation tasks
- Fixes to install after AD DS installation
the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164588). The hotfix should be installed immediately after promotion and before the first boot into normal mode.
3. From the Windows Start menu, run Dcpromo.exe (or install the Active Directory Domain Services role in Server Manager, and then run Dcpromo).
4. When the AllowNT4Crypto page appears, read article 942564 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=164558) and consider the right setting for AllowNT4Crypto for your environment.
5. If you encounter an error, see the list of Dcpromo errors at the end of this topic.
Do the following if you are performing an in-place upgrade of Windows Server 2008 RODCs into existing Windows Server 2003 domains, Windows Server 2008 domains, or domains that have a mix of those operating systems:
1. If the option to install an RODC is not available in Dcpromo, verify that the forest functional level is Windows Server 2003 or higher.
2. If the option to install an RODC is not available and the error message indicates that there is no Windows Server 2008 domain controller in the domain, verify that a Windows Server 2008 domain controller exists in the domain and that it is accessible on the network to the RODC that you are promoting.
3. If an error message indicates that access is denied, see the Microsoft Knowledge Base.
Post-installation tasks
For all domain controllers:
- Configure the forest root PDC with an external time source. For more information, see Configure the forest root PDC with an external time source (http://go.microsoft.com/fwlink/?LinkId=91969).
- Enable delete protection on organizational units (OUs) and other strategic containers to prevent accidental deletions.
- Make a system state backup of upgraded and newly promoted domain controllers. If you promoted the first domain controller in a new domain and do not yet have additional domain controllers, making a system state backup is more important for recovering from accidental deletions. For more information, see AD DS Backup and Recovery Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=190448).
- Use only Active Directory-aware backup applications to restore domain controllers or roll back the contents of AD DS. Restoring snapshots that were created by imaging software is not supported on domain controllers.
Note
It is impossible to provide a complete list of hotfixes. The following is a list of hotfixes that are available as of October 2010 that focus on the AD DS and DNS Server roles.
Hotfix | Windows Server 2008 | Windows Server 2008 R2
Article 949189 (http://go.microsoft.com/fwlink/?LinkID=164588): Japanese Language Locale | | Not applicable
Article 971438 (http://go.microsoft.com/fwlink/?LinkId=185193): A GPO is not applied to a computer that is a member of a nested group | |
Article 981370 (http://go.microsoft.com/fwlink/?LinkId=206168): The DNS Server service on an RODC does not respond to DNS queries for several minutes if the link to some RWDCs breaks in Windows Server 2008 | |
Article 976494 (http://go.microsoft.com/fwlink/?LinkId=206174): Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2 | Not applicable | Install MSKB 976494 or Windows Server 2008 R2 SP1 when available.
Article 978277: exist | | Install MSKB 978277 or Windows Server 2008 R2 SP1 when available.
Article 978387 (http://go.microsoft.com/fwlink/?LinkId=184915): Dcdiag fails with error code 0x621 | Not applicable | Install MSKB 978387 or Windows Server 2008 R2 SP1 when available.
Article 978516 (http://go.microsoft.com/fwlink/?LinkId=185190): Significant delays when you read the same set of files several times | | Install MSKB 978516 or Windows Server 2008 R2 SP1 when available.
Article 978837 (http://go.microsoft.com/fwlink/?LinkId=185191): Group Policy Management Editor window crashes when you apply some changes for NRPT policy settings | | Install MSKB 978837 or Windows Server 2008 R2 SP1 when available.
Article 2309290 (http://go.microsoft.com/fwlink/?LinkId=204904): The DNS Server service does not respond to multi-label name resolution requests correctly when background zone loading occurs in Windows Server 2008 R2 | Not applicable | Install MSKB 2309290 or Windows Server 2008 R2 SP1 when available.
Article 2413670 (http://go.microsoft.com/fwlink/?LinkId=214821): Events 1659, 1481, and 1173 are recorded in the Directory Service event log on Windows Server 2008 R2-based domain controllers after you remove Active Directory Domain Services from the last domain controller in a tree root domain | | Install MSKB 2413670 or Windows Server 2008 R2 SP2 when available.
Article 983534 (http://go.microsoft.com/fwlink/?LinkId=215717): Performance of the DNS Server service keeps decreasing under a heavy load situation in Windows Server 2008 R2 | Not applicable | Install MSKB 983534 or Windows Server 2008 R2 SP2 when available.
Article 2522461: Filtering does not work in the DNS Manager snap-in when you reverse lookup DNS zones to filter records in Windows Server 2008 R2 | | Install MSKB 2522461 or Windows Server 2008 R2 SP2 when available.
Article 2548145: The size of the Active Directory increases rapidly on a Windows Server 2008 R2-based domain controller that hosts the DNS Server role | | Install MSKB 2548145 or Windows Server 2008 R2 SP2 when available.
Article 2520155: DNS Host record of a computer is deleted after you change the DNS server assignment | Install MSKB 2520155 or Vista SP3 or Windows Server 2008 SP3 when available. | Install MSKB 2520155 or Windows 7 SP2 or Windows Server 2008 R2 SP2 when available.
Articles 2499016 and 2518874: The Windows Event Log service may crash | Install MSKB 2518874 or Vista SP3 or Windows Server 2008 SP3 when available. | Install MSKB 2499016 or Windows 7 SP2 or Windows Server 2008 R2 SP2 when available.
Article 2457402: You experience delays with an application or service that uses NTDSA APIs for passing changes from RWDC data centers to RODC data centers | Not applicable | Install MSKB 2457402 or Windows Server 2008 R2 SP2 when available. Install the hotfix on the RODC.
For RODCs: If you are deploying RODCs, install the hotfix in article 953392 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=150337) on all Windows Server 2008 writable domain controllers. This fix is not required on Windows Server 2008 R2 writable domain controllers. Read article 944043 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122974), and install the corrective fixes on the Windows client and server computers that are affected by the scenarios that are listed in the Knowledge Base article.
Troubleshooting errors
This section describes errors in Adprep.exe and Dcpromo.exe. If you encounter an error that is not covered, search site:Microsoft.com: error description or post your problem to the following community sites:
- Directory Services (http://go.microsoft.com/fwlink/?LinkId=166141)
- Discussions in microsoft.public.windows.server.active_directory (http://go.microsoft.com/fwlink/?LinkId=166142)
Adprep errors
These sections describe errors for the forestprep, domainprep, and rodcprep commands.
Forestprep errors
1. If an error message indicates that the schema operations master is assigned to a deleted domain controller, see the Microsoft Knowledge Base.
2. If the error message says "Adprep was unable to extend the schema" or "Adprep failed to verify whether the schema master has completed a replication cycle after last reboot", verify that the schema master has inbound-replicated the schema partition since the reboot. See Force a replication event with all partners in Forcing Replication (http://go.microsoft.com/fwlink/?LinkId=164668), and run the repadmin /syncall command.
3. If the error message says "The callback function failed", see Adprep was unable to complete because the call back function failed in Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkId=164669).
4. If the error message says "There is a schema conflict with Exchange 2000. The schema is not upgraded.", see article 314649 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166190).
5. If the error message says "An attribute with the same link identifier already exists", see article 969307 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=164670).
6. For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).
Domainprep errors
1. If the error message says "Adprep detected that the domain is not in native mode", see Raise the domain functional level (http://go.microsoft.com/fwlink/?LinkID=141249).
2. If the error message indicates that the callback function failed, see Adprep was unable to complete because the call back function failed in Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=164669).
3. For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).
Rodcprep errors
1. If Rodcprep fails with the error message "Adprep could not contact a replica for partition <distinguished name for the forest-wide or domain-wide DNS application partition>" that is documented in article 949257 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=140285), run the Fixfsmo.vbs script in the same article, and then rerun Rodcprep until it runs successfully.
2. For all other error messages, run a query for the error message that is enclosed in quotation marks at Microsoft Help and Support (http://go.microsoft.com/fwlink/?LinkID=56290).
Dcpromo errors
1. If the upgrade rolls back without any onscreen error or recorded error in a debug log, verify that you have sufficient free disk space on the volumes that are hosting %systemdrive%, Ntds.dit, and SYSVOL.
2. If an error message says "To install a domain controller into this Active Directory forest, you must first prepare the forest using 'adprep /forestprep'", verify that /forestprep has been run and that the helper domain controller has inbound-replicated the /forestprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).
3. If an error message says "To install a domain controller into this Active Directory domain, you must first prepare the forest using 'adprep /domainprep'", verify that /domainprep has been run and that the helper domain controller has inbound-replicated the /domainprep changes. For more information, see Running adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).
4. If an error message says "The operation failed because: The attempt to join this computer to the <target DNS domain> failed. The specified user already exists.", the cause is that the computer being promoted has identified a previously promoted computer account in the target domain with the same host name. To resolve this error:
   a. If the computer being promoted is replacing a previously demoted domain controller with the same computer name, verify that the metadata for the demoted domain controller is removed from AD DS, and retry the promotion. For more information, see Cleaning metadata of removed writable domain controllers.
   b. If the error persists, review %systemroot%\debug\DCPROMOUI.LOG to identify the name of the replication source domain controller that is being used by the domain controller being promoted.
   c. Verify that the replication source domain controller has inbound-replicated the removal of the conflicting domain controller account. Failure of the removal to replicate to the source domain controller could be caused by replication failure or replication latency.
   d. The error can have other root causes. For more information, see the following articles in the Microsoft Knowledge Base: 266633 (http://go.microsoft.com/fwlink/?LinkId=179118), 273875 (http://go.microsoft.com/fwlink/?LinkId=179119), 938447 (http://go.microsoft.com/fwlink/?LinkId=179120).
5. If an error message says "You cannot install an additional domain controller at this time because the RID master <domain controller name> is offline" or "You will not be able to install a writable domain controller at this time because the RID master <domain controller name> is offline. Do you want to continue?", the cause is that Dcpromo attempts to identify the owner of the RID master role by reading the fsmoRoleOwner attribute of CN=RID Manager$,CN=System,DC=<domain> and extracting the dnsHostName of the RID master. Dcpromo then tries to initiate an LDAP connection over port 389 to the RID master using its fully qualified computer name. If the LDAP connection fails for any reason, Dcpromo determines the RID master to be offline. Initial sync failures by the RID FSMO should not cause this error.
   a. Run repadmin /showattr fsmo_rid: ncobj:domain: /filter:(objectclass=ridmanager) /subtree and either netdom query fsmo or dcdiag /test:<name of FSMO test>.
   b. The output of the repadmin command will include the fSMORoleOwner. If the fSMORoleOwner distinguished name path that is returned from the command in the previous step is mangled or assigned to a deleted domain controller, remove the metadata for that domain controller and seize the role to a live domain controller that hosts a writable copy of the domain partition.
   c. Verify that the RID master role is assigned to a live domain controller that has successfully inbound-replicated the domain directory partition from at least one other domain controller in the same domain since it last restarted.
   d. If the current role holder is the only live domain controller in the domain but its copy of Active Directory or AD DS refers to domain controllers that no longer exist, remove the stale metadata for those domain controllers, restart the live domain controller, and try the promotion again. For more information, see article 2009385 in the Microsoft Knowledge Base.
6. If a warning indicates that there is no static IP address configured for an IPv6 address on a Windows Server 2008 domain controller, click Yes and complete the wizard.
7. If the check box for installing the DNS Server role is unavailable, either the Active Directory domain has a single-label DNS name or Dcpromo.exe cannot discover another Microsoft DNS server in the domain.
8. If you see the error message "A delegation for this DNS Server cannot be created because the authoritative parent zone cannot be found", see Known Issues for Installing and Removing AD DS (http://go.microsoft.com/fwlink/?LinkId=164418).
9. If you see the error message "The DNS zone could not be created...", see the Microsoft Knowledge Base.
10. If Event ID 16651 appears in the Directory Services log, see article 316201 (http://go.microsoft.com/fwlink/?LinkId=184855) in the Microsoft Knowledge Base.
11. If the system is unable to share SYSVOL, see the Microsoft Knowledge Base.
12. If Dcpromo fails with an error message that says "Failed to modify the necessary properties for the machine account. Access is denied", make sure that administrators are granted the "Enable computer and user accounts to be trusted for delegation" permission in Default Domain Controllers Policy and that the policy has been linked to the Domain Controllers OU. Also make sure that the helper domain controller's machine account resides in the Domain Controllers OU and that it has successfully applied policy. For more information, see article 232070 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=166198).
13. If Dcpromo fails with an error message that says "Active Directory could not create the NTDS Settings object for this domain controller", see the Microsoft Knowledge Base.
If the domain controller is multihomed, disable host (A) resource record registration by network adapters that are not reachable by clients on the production network. If the domain controller is multihomed and a network cable is not attached to a network adapter, disable unused network adapters to prevent them from registering host (A) resource records for APIPA-assigned addresses (169.254.*.*) that can never be resolved by clients. You should also enable DNS scavenging and aging. For more information, see Enable Aging and Scavenging for DNS (http://go.microsoft.com/fwlink/?LinkId=184877).
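Dcpromo error 5 above is opaque because the wizard only reports the end result ("the RID master is offline"), not which of its three steps failed: reading fsmoRoleOwner from CN=RID Manager$, resolving that distinguished name to a dnsHostName, or opening the LDAP connection on TCP 389. The following PowerShell is an added example, not code from the TechNet article: it repeats those steps one at a time with the ActiveDirectory module and a plain TCP connect, so that a mangled role owner (a deleted domain controller, whose distinguished name carries a \0ADEL: marker) is distinguished from a live role holder that is simply unreachable. The domain is detected from the local computer unless one is supplied; the Advice text maps each outcome back to sub-steps 5a to 5d.

```powershell
# Added example, not from the TechNet article. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-RidMasterReachable {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,   # DNS name of the domain being joined
        [int]$TimeoutMs = 5000                      # how long to wait for the LDAP port
    )
    $domainObj = Get-ADDomain -Identity $Domain
    # Single quotes keep the literal "$" in the RID Manager container name
    $ridManagerDn = 'CN=RID Manager$,CN=System,' + $domainObj.DistinguishedName
    $owner = (Get-ADObject -Identity $ridManagerDn -Properties fSMORoleOwner -Server $Domain).fSMORoleOwner

    $result = New-Object PSObject -Property @{
        RoleOwnerDn   = $owner
        RidMasterHost = $null
        OwnerDeleted  = $false
        LdapReachable = $false
        Advice        = $null
    }

    # A role owner that was deleted shows up as a mangled DN containing "\0ADEL:<guid>"
    if (-not $owner -or $owner -match '\\0ADEL:') {
        $result.OwnerDeleted = $true
        $result.Advice = 'fSMORoleOwner is empty or points to a deleted DC: clean its metadata and seize the RID role to a live writable DC (step 5b)'
        return $result
    }

    # fSMORoleOwner is the NTDS Settings DN; its parent server object carries dNSHostName
    $serverDn = $owner -replace '^CN=NTDS Settings,', ''
    $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName -Server $Domain
    $result.RidMasterHost = $server.dNSHostName
    if (-not $result.RidMasterHost) {
        $result.Advice = 'Server object has no dNSHostName; Dcpromo cannot build the LDAP target (step 5b)'
        return $result
    }

    # Same probe Dcpromo performs: a TCP connection to LDAP port 389 on the role holder's FQDN
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($result.RidMasterHost, 389, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $result.LdapReachable = $true
        }
    } catch { }   # DNS failure or refused connection: leave LdapReachable at $false
    finally { $client.Close() }

    if ($result.LdapReachable) {
        $result.Advice = 'RID master answers on TCP 389; confirm it has inbound-replicated the domain partition since its last restart (steps 5c and 5d)'
    } else {
        $result.Advice = "No LDAP connection to $($result.RidMasterHost):389 within $TimeoutMs ms; the role holder is offline, unreachable, or its name does not resolve (step 5a)"
    }
    return $result
}

# Usage on the computer being promoted, with the same credentials Dcpromo will use
Test-RidMasterReachable | Format-List RidMasterHost, OwnerDeleted, LdapReachable, Advice
```

Compare RidMasterHost with the output of `netdom query fsmo`; a mismatch means the fsmoRoleOwner attribute read here (which is what Dcpromo uses) disagrees with what the tooling reports, and the replication state of the domain partition on the helper domain controller is the next thing to check.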
Community Content
Confusing statement about management tools
Windows Server 2003 St running domain; we are planning a domain upgrade on Microsoft Windows Server 2008 R Ent 64-bit on Hyper-V. Please suggest.
11/20/2009 Modeverything
Typo
Functional level features and requirements and considerations for operatiosn master roles should be Functional level features and requirements and considerations for operations master roles JH: this is fixed, thanks.
2/6/2012 CarlWebster
Seems that the 2008 R2 machine HAS to have the Primary DNS set to the address in the domain... I had set it up off the network and had set the primary to my ISP's DNS... Swapped addresses and in like Flint!!
2/14/2011 PDX-Mike
1/28/2011 HC4066
DCPROMO Errors
I am unable to get any helpful results for the following. If an error message says "You cannot install an additional domain controller at this time because the RID master <domain controller name> is offline." or "You will not be able to install a writable domain controller at this time because the RID master <domain controller name> is offline. Do you want to continue?", see the Microsoft Knowledge Base. If I search the KB, then it only refers me back to this page? Any help will be appreciated.
12/4/2009 Justinha
11/14/2009 ShawnDup